Network Access Control Lists (NACLs)
A network access control list (NACL) is a security feature in cloud environments such as AWS that controls inbound and outbound traffic at the subnet level. It acts as a stateless firewall, allowing or denying traffic according to numbered rules you define, and is an optional additional layer of security for your VPC alongside security groups: every subnet is associated with a NACL, but the default one allows all traffic, so it only filters once you add rules. NACLs help restrict access to resources and block unauthorized traffic from entering or leaving a subnet.
Here's a more detailed explanation:

- Stateless firewall: Unlike security groups, which are stateful (the reply to an allowed connection is permitted automatically), NACLs are stateless and judge every packet on its own. If you allow inbound traffic to a port, you must also explicitly allow the outbound reply traffic. The reply goes back to the client's ephemeral source port, not the service port, so in practice this means an outbound allow rule for the ephemeral range (AWS recommends 1024-65535, since the exact range depends on the client's operating system).
- Subnet-level control: A NACL is associated with one or more subnets and filters traffic entering and leaving those subnets. Each subnet must be associated with exactly one NACL; if you don't choose one, it uses the VPC's default NACL. Traffic between instances inside the same subnet never crosses the subnet boundary and is not filtered by the NACL.
- Rule-based access: Each rule has a rule number, a protocol, a port range, a source CIDR (inbound) or destination CIDR (outbound), and an allow or deny action. Unlike security groups, which can only allow, NACLs support explicit deny rules.
- Example: You might create a NACL rule that allows only specific IP addresses to reach a particular subnet, or a deny rule that blocks traffic from known malicious IP ranges (as described in the AWS documentation).
- Order of evaluation: Rules are evaluated in ascending order of rule number, and the first rule that matches the traffic decides, regardless of what higher-numbered rules say. Anything no numbered rule matches falls through to the final `*` rule, which denies it (as described by AWS in Plain English). Leave gaps in the numbering (100, 200, ...) so that rules can be inserted later without renumbering.
- Default vs. custom NACLs: The default NACL created with a VPC allows all inbound and outbound traffic. A custom NACL you create denies all traffic until you add allow rules.
- Importance: NACLs add a second, subnet-wide layer of defence to your VPC that applies regardless of how individual instances are configured, which matters for sensitive subnets or when you need something a security group cannot express, such as an explicit deny for a specific CIDR (per the AWS documentation). They are coarser than security groups, not more granular, so the two are used together rather than as substitutes.
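The three behaviours above that most often surprise people (stateless return traffic, first-match ordering with the trailing `*` deny, and default allow-all versus custom deny-all) are easiest to see with a small evaluator. The following is an added example written for this page, not AWS code or anything from the AWS documentation; the rule numbers, CIDRs (RFC 5737 documentation ranges) and ports are constructed sample data, and the evaluator models only the documented matching semantics, not the full EC2 API.

```python
"""Toy evaluator for AWS-style network ACL semantics (added example, not AWS code).

Models the documented behaviour: rules are checked in ascending rule-number
order, the first match decides, the trailing '*' rule denies anything that
matched no numbered rule, and because the ACL is stateless the reply half of a
connection must be allowed by its own rule. All rules and addresses below are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EPHEMERAL = (1024, 65535)  # client port range AWS recommends opening for return traffic


@dataclass(frozen=True)
class Rule:
    number: int                  # evaluated in ascending order
    protocol: str                # 'tcp', 'udp', 'icmp' or '-1' meaning all protocols
    cidr: str                    # remote CIDR block the rule matches
    port_range: Tuple[int, int]  # inclusive; ignored when protocol is '-1'
    action: str                  # 'allow' or 'deny'

    def matches(self, protocol: str, remote_ip: str, port: int) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if ip_address(remote_ip) not in ip_network(self.cidr):
            return False
        if self.protocol == "-1":
            return True  # 'all traffic' rules do not look at the port
        lo, hi = self.port_range
        return lo <= port <= hi


def evaluate(rules: List[Rule], protocol: str, remote_ip: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) of the first matching rule, or ('deny', None) for the '*' rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, remote_ip, port):
            return rule.action, rule.number
    return "deny", None


def connection_allowed(inbound: List[Rule], outbound: List[Rule], protocol: str,
                       client_ip: str, client_port: int, server_port: int) -> bool:
    """A client outside the subnet connects to a server port inside it.

    Stateless means both halves are judged independently: the request is checked
    against the inbound list (remote = client, port = server_port) and the reply
    against the outbound list (remote = client, port = the client's ephemeral port).
    """
    request, _ = evaluate(inbound, protocol, client_ip, server_port)
    reply, _ = evaluate(outbound, protocol, client_ip, client_port)
    return request == "allow" and reply == "allow"


# Default NACL: a single rule 100 allowing everything in both directions.
DEFAULT_INBOUND = [Rule(100, "-1", "0.0.0.0/0", (0, 65535), "allow")]
DEFAULT_OUTBOUND = [Rule(100, "-1", "0.0.0.0/0", (0, 65535), "allow")]

# Custom NACL for a public web subnet (constructed sample):
#   rule 90  denies a known-bad range before the broader allow at 100
#   rule 100 allows HTTPS from anywhere
#   outbound opens only the ephemeral range, so replies get out but the
#   subnet cannot initiate, e.g., SSH to the internet.
WEB_INBOUND = [
    Rule(90, "tcp", "203.0.113.0/24", (443, 443), "deny"),
    Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),
]
WEB_OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", EPHEMERAL, "allow"),
]

# Common mistake: inbound 443 allowed, but nothing opened for the return path.
BROKEN_OUTBOUND: List[Rule] = []


if __name__ == "__main__":
    print(connection_allowed(WEB_INBOUND, WEB_OUTBOUND, "tcp", "198.51.100.7", 51515, 443))     # True
    print(connection_allowed(WEB_INBOUND, WEB_OUTBOUND, "tcp", "203.0.113.9", 51515, 443))     # False: deny 90 matched first
    print(connection_allowed(WEB_INBOUND, BROKEN_OUTBOUND, "tcp", "198.51.100.7", 51515, 443))  # False: reply dropped
    print(evaluate(WEB_INBOUND, "tcp", "198.51.100.7", 22))                                    # ('deny', None): fell through to '*'
```

Swapping the numbers of the two inbound rules (deny at 110, allow at 100) makes the blocked range reachable again, because rule 100 now matches first; that is the ordering trap the "first match wins" rule creates. Likewise, replacing `WEB_OUTBOUND` with a rule for port 443 instead of the ephemeral range breaks every connection, which is the stateless trap.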